Web Authentication (WebAuthn) API

I'm pretty excited to see that WebAuthn got upgraded to a "Candidate Recommendation" in the W3C today. Major browser support is coming soon as well - Chrome (in stable channel by v67), Firefox, and Edge have all committed to implementing support this year.

Not sure if this will have any impact on 1Password but I think it's a promising move for web security overall. Hopefully major sites will not take too long to start adopting it (I imagine current FIDO supporters like Google and GitHub will be among the first.)

It might be too soon to know, but if anyone has heard of major sites planning support for WebAuthn I would be quite interested to start an informal running list.

Comments

@EnerJi: It's definitely interesting. But as excited as I get about nerdy stuff like this, it's always tempered by the fact that it's just not something the vast majority of humans will use. I love the technology here, and I think it's an important step toward a better future. Hopefully someday all of this will lead to something both secure and usable for everyone.

I'd also be interested to know of sites that already support this, but I suspect that those who plan to will mostly just wait until browsers have support for this. I don't know if that's the chicken or the egg, but it's a good place to start I think.

Since Firefox and Chrome have already said they are planning to support WebAuthn for biometric passwords, I was wondering if 1Password plans to leverage this so we can use fingerprint unlock devices that support them.

It's too early for me to comment on WebAuthn, but from what I've seen it's well on its way to becoming an approved web standard by the W3C being that it's currently in the "candidate recommendation" stage.

As you may know, both 1Password for Windows and Mac allow users to unlock using either Windows Hello or Touch ID. A more straightforward (relatively so) first step for us is to communicate and securely share a lock state with one of our native 1Password apps for folks who have them installed.

I can't make any promises since we can't predict the future, but I think the fact that 1Password X exists is pretty decent evidence we love to build apps using the latest web technologies. Using Firefox as an example, 1Password X can't run on their stable version (59) – that's how new (at least to Firefox) the APIs we use are.

Sorry that I couldn't give you a more direct answer, but answers for the future of 1Password change on a near-daily basis which really keeps things interesting around here. 🤘

@brenty I hope perhaps something like this will go truly mainstream, but it's probably a long way out. I agree it will probably take quite a while for the chicken/egg problem to be solved. I was perhaps a bit overoptimistic about this. Still something interesting to keep an eye on.

@EnerJi: Totally! Thanks for bringing it up. This is fascinating stuff, and part of the fun is seeing how things play out in the real world.

I've just started implementing WebAuthn in a few internal apps, and this is the future. To be honest, I'm quite surprised it's taken us this long to standardize an imposter/eavesdropper-resistant approach to web authentication.

I personally use (and soon my company will use) 1Password exclusively for user secret storage. Adding WebAuthn Authenticator functionality to 1Password would be spectacular for promoting general adoption of this superior technology, since the UX inside 1Password could be so similar between WebAuthn and passwords. Further, 1Password's zero-knowledge approach is far more desirable than say, Google's, which ships user credentials off to servers in a way that makes them susceptible to a breach, subpoenas, etc.

This certainly isn't urgent... but it would be really cool to see 1Password lead the way in this!

Not a fan of biometrics: when one is compromised you lose a finger... and that could be per device (so I lose a finger for all Apple devices), or if someone starts taking down fingerprint databases and generating the right hashes... I'll pass and stick to user ID/password and a second factor like a YubiKey. Even a hardware token alone bugs me, like FIDO2, since a coworker can just get my keys with my security key! But WebAuthn is just a way to communicate and not necessarily an authentication solution per se.

Biometrics, like many authentication methods, are very useful in addition to a secret that you have full control over -- especially since biometric data is not really secret, as you mentioned. I think it's tempting to get overly enthusiastic about new technologies because they're so dang cool, but with time we can all get a better handle on what they are (and are not) good for.